Debate over web-connected cars, driver privacy headed to Maryland

Kevin Rector, The Baltimore Sun

About one in five cars on American roadways connects to outside parties via cellular telephone networks, transmitting data on drivers' speeding and braking habits, their location, and their vehicle's health and performance. By 2025, AAA predicts, all new cars will.

Computers on board most vehicles on the road already collect and monitor such data, which can be downloaded at dealerships for repair purposes and shared with manufacturers, who say it's used to make cars safer and more reliable.

But civil liberties and driver advocacy organizations — including those in Maryland — are becoming concerned about how secure such data is, who has access to it and whether it may drive up repair costs. AAA Mid-Atlantic has identified the growth of so-called "connected cars" as the next big thing on its policy agenda in the state.

Much of the data collected by today's "computers on wheels" is capable of revealing "not only where you live and where you work, but where you drink and who your friends and lovers are, and where you worship," said Jay Stanley, a senior policy analyst with the American Civil Liberties Union. "It raises a lot of questions about who controls that data and who gets access to it."

Such questions come as drivers are connecting every day with more and more devices and apps that promise convenience on the road, industry observers say.

E-ZPass lets drivers move quickly through toll booths. Insurance companies — including AAA — offer discounted rates for drivers willing to use devices capable of transmitting data on their driving habits. The National Highway Traffic Safety Administration has pushed the use of "black boxes," which record driving data in the moments before an accident to enhance crash investigations and improve safety.

General Motors' OnStar and other such vehicular information systems provide a range of services, from crash notification and navigation to hands-free access to phones and email. They also can connect to a growing array of applications for everything from finding parking or a Starbucks to connecting to Facebook.

On its website, OnStar acknowledged that it collects a wide variety of information about its users and their vehicles, including their location and speed. It said it keeps the data as long as it wants and may use it "for any purpose or share it with any third party if we anonymize it so that it no longer reasonably identifies you or your vehicle."

Driver information can be shared with emergency service providers, with GM, with OnStar service providers and any third party with a legal request, according to its policy. Account and vehicle-related information can be shared with GM to "enable it to evaluate or research the safety, quality, usage, and functionality of its vehicles" or with third parties for "joint marketing initiatives."

AAA appreciates how the data can improve safety but would like to see more transparency from manufacturers about what is being collected and how it is shared, and more control over that data in the hands of vehicle owners, said Bernhard M. Koch, CEO of AAA Mid-Atlantic.

The driver advocacy group has yet to start crafting potential legislation in Maryland, he said, but wants to start a conversation about drivers' rights to privacy and access to the data.

"Consumers need to know what their cars know about them," said Nate Cardozo, a staff attorney with the Electronic Frontier Foundation, which defends civil liberties "in the digital world."

He warned it's "just a matter of time" before a data breach occurs with data collected by auto manufacturers. When it does, drivers won't know what personal information has been compromised because automakers don't disclose what they collect, he said.

Automakers have fought efforts in other states to force more data transparency, arguing that sharing too much information on their systems would only make them vulnerable.

Dan Gage, a spokesman for the Alliance of Automobile Manufacturers, said legislation on the issue now would be "premature," in part because "the last thing we want to do is restrict driving innovation."

The debate sets the stage for a lobbying battle in Annapolis and at the federal level in coming years as normally allied power brokers in the auto industry clash.

AAA boasts more than 50 million members nationwide and routinely sees its policy recommendations receive serious attention from legislators, though it has only spent about $800,000 on federal lobbying since 2013, according to OpenSecrets.org.

Gage's auto alliance, which says it represents General Motors and 11 other manufacturers responsible for more than three quarters of all car and light truck sales in the United States, has spent nearly $10 million on federal lobbying since 2013 and it isn't shying away from the data fight.

"If AAA is proposing policy changes, or proposing legislation in any state, we would be very, very interested," Gage said. "It's very important that automakers have a very early and direct role in the development of that policy."

The issue isn't new. The Maryland Transportation Authority has been blocked for years from sharing drivers' E-ZPass data with anyone except the account holder, his or her attorney, contractors who need to access the data as part of the system's operations, and those who file valid subpoenas for the data. The agency generally only keeps data for two years, said spokeswoman Rebecca Freeberger.

Civil liberties groups are increasingly raising questions about the active radio-frequency identification — RFID — chips located within E-ZPass devices, which can broadcast identifying information to anyone with a reader, said the ACLU's Stanley.

"If you set up enough readers you could get to the point where you could really follow people around and perhaps link that with their actual identity," he said.

With connected cars, who has access to the data collected is at the center of the argument.

Vehicle owners have restricted access to most of it, often through licensed dealers. The ACLU and groups representing independent auto repair shops claim manufacturers are driving up repair and maintenance costs by restricting access to critical vehicle systems.

"The principle should be that any computers included in the car that you buy belong to you — just like the laptop in the seat next to you belongs to you — and you should have ownership and access to that data," Stanley said.

Manufacturers say the technology drives innovation, making better-performing and safer cars, and note that data collection is unavoidable in today's world.

"Folks have to recognize that the vehicle of today is not the vehicle of 30 years ago. You have 30,000 components in a vehicle, and most of them have an electronic function," Gage said.

Some of the data, like that involving emissions, is required to be generated by law, Gage said. Other data, like that involving vehicle performance or driver habits, is remotely collected from vehicles with their owners' consent. Access is limited under manufacturers' or providers' policies to protect driver privacy, Gage said.

Consent is obtained usually in vehicle purchase contracts or through usage agreements for devices and applications.

Koch and Stanley said car buyers sign off on data collection policies amid a swirl of paperwork at dealerships, and sometimes misunderstand what they're agreeing to release.

"People need to know what their cars are recording and sharing," Stanley said. "That requires people to be genuinely informed, not some legalese buried deep in the middle of a manual."

Gage said manufacturers are "moving forward to try to increase that level of transparency."

However, the proprietary nature of many manufacturers' systems severely limits transparency, said Dorothy Glancy, a professor at Santa Clara University School of Law who studies the industry. Manufacturers rarely offer in-depth information about how their systems work and how they use the data they collect, said Glancy, who has worked with AAA and the Electronic Frontier Foundation on stalled legislation in California that would have given more access to vehicle systems to car owners and independent repair shops.

"The only thing that really protects privacy is really what's in the privacy policy or user agreement, and there are hundreds and hundreds of different kinds of user agreements, some of which are pretty outrageous," Glancy said.

A January report by the U.S. Government Accountability Office reviewing policies of 10 companies found nine shared location data with third-party companies, including traffic information providers. It also found that in some instances, privacy policies were "unclear, which could make it difficult for consumers to understand the privacy risks that may exist."

Gage said data is carefully safeguarded, both for the good of consumers and to protect the vast potential of such systems, which will become increasingly vital as more vehicles begin to control themselves and communicate with one another.

"We can't have autonomous vehicles, we can't have [vehicle-to-vehicle] technology, if we don't have secure data, so this process is one that has to move very securely and deliberately," he said.

Manufacturers oppose the push by AAA to open the proprietary systems to car owners and independent repair shops because that would open the door to "a whole host of security, cybersecurity, issues." The more people with access, the more potential there is for misuse, Gage said.

But the proprietary systems are making it more and more difficult for independent shops to compete with dealerships, said Stephen Powell, owner of Thoroughbred Auto Care in Scaggsville.

Powell said he has turned away customers with car troubles that can only be diagnosed and fixed with access to vehicle computer systems. As a member of the Council of Automotive Repair under the Washington, Maryland, Delaware Service Station and Automotive Repair Association, he said he constantly hears similar stories from other small shop owners.

While "right to repair" laws in other states, namely Massachusetts, have given independent mechanics across the country access to some manufacturers' computer systems — at a cost — many newer computer systems aren't covered under those laws.

"It's going to kind of sound that we're stomping our feet and crying foul because we're not in the game, but it's bigger than that," Powell said. "That information is really the vehicle owners' right to know and be able to release, and the manufacturers don't let that happen right now."

While AAA, an insurer with a burgeoning auto repair business, also would have a stake in seeing manufacturers open their systems to independent companies, Koch said it is pushing change because drivers deserve to be better informed.

"We still go back to the most important issue, which is awareness," he said. "That data is being collected on you and you don't know how that data is being shared."

Both Glancy and Gage think a resolution to the issue ultimately will have to come at the federal level.

"My sense is these are systems in automobiles that drive all over the country," she said. "A state-by-state approach is going to be difficult to manage."

Cardozo, of Electronic Frontier, said the debate should be simple.

"Today consumers don't know what their cars know about them," he said. "That's a problem."